This is an ancient bug workaround for Netscape clients. The documentation
talks about versions 3.x and 4.x beta.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Document SSL_get_extms_support().
Modify behaviour of SSL_get_extms_support() so it returns -1 if the
master secret support of the peer is not known (e.g. handshake in progress).
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Not interested in helping the NSA in the slightest.
And anyway, it was never implemented, #if'd out.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Remove OPENSSL_NO_BUF_FREELISTS. This was turned on by default,
so the work here is removing the 'maintain our own freelist' code.
Also removed a minor old Windows-multibyte/widechar conversion flag.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Remove support for SHA0 and DSS0 (they were broken), and remove
the ability to attempt to build without SHA (it didn't work).
For simplicity, remove the option of not building various SHA algorithms;
you could argue that SHA_224/256/384/512 should be kept, since they're
like crypto algorithms, but I decided to go the other way.
So these options are gone:
GENUINE_DSA OPENSSL_NO_SHA0
OPENSSL_NO_SHA OPENSSL_NO_SHA1
OPENSSL_NO_SHA224 OPENSSL_NO_SHA256
OPENSSL_NO_SHA384 OPENSSL_NO_SHA512
Reviewed-by: Richard Levitte <levitte@openssl.org>
Per discussion: should not exit. Should not print to stderr.
Errors are ignored. Updated doc to reflect that, and the fact
that this function is to be avoided.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Removed CHANGES.SSLeay
Udpate README to be current.
Updated fignerprints.txt to list only current release signers and
to explain that is what it's used for.
Removed the following:
c-indentation.el -- doesn't go with our coding style
openssl-shared.txt -- old info about shared library aides
openssl.txt -- old info about X509v3 extension support/syntax
ssleay.txt -- old info about OpenSSL's predecessor, back when
programmers coded on COBOL sheets by candlelight
Reviewed-by: Richard Levitte <levitte@openssl.org>
Show only the #define, not the values, in BIO_f_buffer. Data
abstraction and we can remove a "see also" entry.
Remove internal forward reference to NOTES in EVP_EncryptInit; just
say "see below" as we do in the other pages.
Add missing (3) in pem.pod so the L<> entry is consistent.
Fix entry to point to the "master" page, not the symlink'd one.
Reviewed-by: Matt Caswell <matt@openssl.org>
OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.
Thanks to Karthikeyan Bhargavan for reporting this issue.
(CVE-2015-0204)
Reviewed-by: Matt Caswell <matt@openssl.org>
MS Server gated cryptography is obsolete and dates from the time of export
restrictions on strong encryption and is only used by ancient versions of
MSIE.
Reviewed-by: Matt Caswell <matt@openssl.org>
* adds links to various related documents.
* fixes a few typos.
* rewords a few sentences.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
In EVP_EncryptInit remove duplicate mention of EVP_idea_cbc()
In EVP_PKEY_CTX_ctrl.pod remove EVP_PKEY_get_default_digest_nid
since it is documented elsewhere.
Reviewed-by: Richard Levitte <levitte@openssl.org>
The current documentation contains a bunch of spelling and grammar mistakes. I also
found it hard to understand some paragraphs, so here is my attempt to improve its
readability.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Fix CONF_load_modules to CONF_modules_load.
Document that it calls exit.
Advise against using it now.
Add an error print to stderr.
Reviewed-by: Matt Caswell <matt@openssl.org>
Out is the buffer which needs to contain at least inl + cipher_block_size - 1 bytes. Outl
is just an int*.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
If data is NULL, return the size needed to hold the
derived key. No other API to do this, so document
the behavior.
Reviewed-by: Richard Levitte <levitte@openssl.org>
pod2man now complains when item tags are not sequential.
Also complains about missing =back and other tags.
Silence the warnings; most were already done.
Reviewed-by: Tim Hudson <tjh@openssl.org>
The original RT request included a patch. By the time
we got around to doing it, however, the callback scheme
had changed. So I wrote a new function RSA_check_key_ex()
that uses the BN_GENCB callback. But thanks very much
to Vinet Sharma <vineet.sharma@gmail.com> for the
initial implementation.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
i2d_re_X509_tbs re-encodes the TBS portion of the certificate.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
RT842, closed back in 2004, changed the default serial number
to be a random number rather than zero. Finally time to update
the doc
Reviewed-by: Tim Hudson <tjh@openssl.org>
Add .crt/.cer/.crl to the filenames parsed.
I also updated the podpage (since it didn't exist when
this ticket was first created, nor when it was re-created
seven years later).
Reviewed-by: Tim Hudson <tjh@openssl.org>
Re-order algorithm list.
Be consistent in command synopsis.
Add content about signing.
Add EXAMPLE section
Add some missing options: -r, -fips-fingerprint -non-fips-allow
Various other fixes.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Andy found an additional typo "can be can be".
Now I have that silly "Que sera sera" song stuck in my head.
Reviewed-by: Andy Polyakov <appro@openssl.org>
